HECO Chain hacker "scatters" more than 145 million USD via Tornado Cash
The attacker behind the November 2023 HECO Chain hack has transferred more than 40,000 ETH through the Tornado Cash mixer in the past 8 days in an attempt to disperse assets.
On-chain data from security unit PeckShieldAlert shows that the attacker behind the hack of HECO Chain, the private blockchain of the cryptocurrency exchange HTX (formerly Huobi), in late November 2023 has been "laundering money" through the Tornado Cash mixer over the last eight days in an attempt to disperse assets.
As of March 22, 2024, hackers have successfully transferred about 40,391.8 ETH - equivalent to 145.7 million USD - via Tornado Cash in dozens of transactions.
#PeckShieldAlert As of today (22 Mar. 2024, UTC), #HECOBridge exploiters - labeled addresses - have transferred ~$40,391.8 $ETH (equivalent to ~$145.7m) to #TornadoCash within the last 8 days
— PeckShieldAlert (@PeckShieldAlert) March 22, 2024
As reported, by exploiting a vulnerability in the HECO Bridge, which is used to move money between Ethereum (ETH) and HECO Chain, anonymous hackers "extracted" 86 million USD in cryptocurrency, including 20.4 million USD in ETH, 42.1 million USDT and 16.6 million USD in HBTC (Bitcoin on HECO), along with other tokens including USDC, SHIB, LINK, TUSD and UNI.
The attacker then quickly moved the money to many separate wallet addresses to avoid being traced, and swapped it to ETH to avoid being frozen by Tether. However, The Block news site claims that the total loss could be up to 110 million USD when additional vulnerabilities from the cooperative are taken into account.
As soon as he learned about the incident, TRON founder Justin Sun confirmed the hack, announced a temporary suspension of deposits and withdrawals, and pledged to compensate affected users. But until now, HECO Chain has remained silent and has not resumed deposit and withdrawal activities. HECO Chain's Twitter account has not been updated since February 2023, making the community even more uncertain about the future of this platform.
Notably, this is the third security incident in 2023 targeting the Cooperative ecosystem owned by Justin Sun, after two previous attacks on Poloniex (125 million USD loss) and HTX (7.9 million USD loss). The cooperative convinced the hacker to return the money in exchange for a bug bounty reward of 5% of the hack value. Poloniex also asked the hacker to pay the money back, offering a reward of up to 10 million USD, but there has been no response yet.
Tornado Cash is an ETH transaction mixer that was once accused by the US government of abetting crypto money laundering by many hacker organizations; the government put Tornado Cash on the sanctions list and ordered the arrest of the project's two founders. Tornado Cash developer Alexey Pertsev is currently being charged by Dutch authorities with money laundering worth $1.2 billion and is awaiting trial on March 26.
However, Tornado Cash's smart contract still operates normally and continues to be used by both crypto users and hackers with high programming skills to hide transactions on Ethereum.
According to a Medium post by community member Gas404, someone has planted malicious code in the backend of the Tornado Cash coin mixing platform. As a result, user deposits are at risk.
The community has found that a malicious javascript code was hidden from the 2-month-old governance proposal made by the alleged Tornado Cash community developer Butterfly Effects from the previous governance proposal 44 and thus we estimate that since Jan 1st the deposit notes…
— Wu Blockchain (@WuBlockchain) February 25, 2024
The article explains that malicious JavaScript code is running in the background as a result of the governance proposal submitted on January 1 by an individual "posing" as a Tornado Cash programmer. The code stealthily sends deposit data to an attacker-controlled server. This could allow the theft of personal information and assets of protocol users.
Also according to Gas404's investigation based on data from Etherscan, a deposit was stolen. In response, Gas404 proposed to revert Tornado Cash to the previous version on IPFS.
To date, Tornado Cash's website and Discord have not yet returned to service, partly reflecting the severity of the attack.
Since being sanctioned by the US Department of the Treasury's Office of Foreign Assets Control (OFAC) in August 2022, trading activities on Tornado Cash have become increasingly deep. US authorities arrested Roman Storm, while the other co-founder, Roman Semenov, is still being sought. In that context, hackers have flocked to new money laundering platforms, for example THORChain...